I. Configuring HTTPS
1. After the httpd service is installed, install the mod_ssl module
// First check whether mod_ssl is already installed
[root@contos7 ~]# rpm -qa | grep mod_ssl
// Install the mod_ssl module
[root@contos7 ~]# yum install mod_ssl
2. Check that the file 00-ssl.conf was generated automatically in /etc/httpd/conf.modules.d/
[root@contos7 ~]# cd /etc/httpd/conf.modules.d/
[root@contos7 conf.modules.d]# ls
// Check that the following line in 00-ssl.conf is not commented out; if it is, uncomment it
LoadModule ssl_module modules/mod_ssl.so
3. Create the CA certificate and issue the server certificate
Issuing a certificate means generating a private key (first for the CA, then for the server) and using the CA's key to sign the certificate file the server will present. The commands below use /etc/pki/CA, the CA directory that the default /etc/pki/tls/openssl.cnf on CentOS 7 expects, so openssl ca needs no extra options.
[root@contos7 ~]# cd /etc/pki/CA
[root@contos7 /etc/pki/CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....++
.........................................................++
e is 65537 (0x10001)
[root@contos7 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:
Email Address []:
// index.txt is the CA's certificate database and serial holds the next serial number; openssl ca refuses to run if either is missing (the newcerts/ directory it also writes to already exists on CentOS 7)
[root@contos7 /etc/pki/CA]# touch index.txt
[root@contos7 /etc/pki/CA]# echo 00 > serial
[root@contos7 /etc/pki/CA]# mkdir /etc/httpd/conf.d/ssl
[root@contos7 /etc/pki/CA]# cd /etc/httpd/conf.d/ssl/
// A 1024-bit RSA key is shown here to match the output below, but it is too weak for real use (public CAs have required at least 2048 bits since 2014); use 2048 bits or more for the server key
[root@contos7 /etc/httpd/conf.d/ssl]# (umask 066;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
// The Common Name entered here must be the host name the virtual host serves (www.baidu.com in step 5), otherwise browsers report a host name mismatch. Country, State and Organization must repeat the CA's values, because the default policy_match in openssl.cnf rejects a request whose values differ from the CA certificate
[root@contos7 /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
// Sign the request with the CA; a copy of the issued certificate is also recorded in /etc/pki/CA/newcerts/ and in index.txt
[root@contos7 /etc/httpd/conf.d/ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
// Keep the CA certificate next to the server certificate; this is the file clients must import into their trust store
[root@contos7 /etc/httpd/conf.d/ssl]# cp /etc/pki/CA/cacert.pem .
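The whole of step 3 as a non-interactive script, added here as an example and not taken from the original page. It builds a throwaway CA under a temporary directory with its own minimal openssl.cnf instead of the system /etc/pki/CA layout, issues a server certificate with openssl ca for a host name given on the command line, and then runs the checks a client performs before trusting the server: the certificate chains to cacert.pem, it is valid for the requested host name, and the key is 2048 bits. The host name www.example.com, the DN values and the section names demo_ca, policy_anything, v3_ca and server_ext are assumptions chosen for this example; it needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example (not from the original page): a non-interactive version of step 3.
# Builds a throwaway CA in DIR with its own minimal openssl.cnf (instead of the
# system /etc/pki/CA layout), issues a server certificate for HOST with
# "openssl ca", then runs the checks a client performs. Requires openssl >= 1.0.2.
# HOST (www.example.com in the usage below) and the DN values are assumptions.
set -eu

# write_ca_config DIR HOST: the parts of openssl.cnf that "openssl ca" needs.
# The stock policy_match would reject a request whose C/ST/O differ from the
# CA's; policy_anything only insists on a Common Name.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
database        = $1/index.txt
serial          = $1/serial
new_certs_dir   = $1/newcerts
certificate     = $1/cacert.pem
private_key     = $1/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_ext

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

# extensions for the self-signed root: mark it as a CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# extensions for the server certificate; the SAN is what browsers match
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# build_demo_pki DIR HOST: CA key + self-signed CA cert, server key + CSR, signed cert.
build_demo_pki() {
  mkdir -p "$1/private" "$1/newcerts"
  : > "$1/index.txt"          # empty CA database, as "touch index.txt" in the page
  echo 01 > "$1/serial"       # next serial number (even number of hex digits)
  write_ca_config "$1" "$2"
  # private keys are created under umask 077 so only the owner can read them
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca -days 3650 \
    -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
    -subj "/C=CN/ST=HeNan/O=Magedu/CN=Magedu Demo Root CA"
  (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
  # CN is the host name; server_ext repeats it as a SAN, which is what clients check
  openssl req -new -config "$1/openssl.cnf" -key "$1/httpd.key" -out "$1/httpd.csr" \
    -subj "/C=CN/ST=HeNan/O=Magedu/CN=$2"
  openssl ca -config "$1/openssl.cnf" -batch -notext -days 365 \
    -in "$1/httpd.csr" -out "$1/httpd.crt" 2>/dev/null
}

# verify_server_cert DIR HOST: succeeds only if httpd.crt chains to cacert.pem,
# is valid for HOST, and carries a 2048-bit key (a 1024-bit key would fail here).
verify_server_cert() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/httpd.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/httpd.crt" -noout -text | grep -q 'Public-Key: (2048 bit)'
}

# Usage: sh demo_pki.sh www.example.com
if [ $# -ge 1 ]; then
  work=$(mktemp -d)
  build_demo_pki "$work" "$1"
  verify_server_cert "$work" "$1" && echo "chain, host name and key size OK: $work"
fi
```

The verification function is the part worth keeping around: run it against the real httpd.crt and cacert.pem before editing ssl.conf, because an unknown issuer, a name mismatch or a weak key shows up there as a non-zero exit instead of as a browser warning after the restart.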
4. Edit the ssl.conf configuration file
Point the certificate directives at the files created in step 3 (the stock file points at /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key); the three lines become:
[root@contos7 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
Note that SSLCACertificateFile lists the CAs trusted for client-certificate authentication; it does not make browsers trust the server. Because cacert.pem is a private root, each client has to import it into its trust store, otherwise the browser warns about an unknown issuer.
5. Edit the virtual host configuration file
[root@contos7 ~]# vim /etc/httpd/conf.d/vhost.conf
<VirtualHost *:443>
ServerName www.baidu.com
DocumentRoot "/app/website1"
CustomLog "logs/www.baidu.com_access_log" combined
<Directory "/app/website1">
Require all granted
</Directory>
</VirtualHost>
www.baidu.com stands in for your own host name and must be the same name the certificate was issued to in step 3. This block carries no SSLEngine on and no certificate directives of its own: it relies on the <VirtualHost _default_:443> in ssl.conf, which httpd loads before vhost.conf and which holds SSLEngine on together with the paths set in step 4. If you give this host its own SSLEngine on, also give it SSLCertificateFile and SSLCertificateKeyFile, because httpd refuses to start a TLS host for which it finds no certificate and key.
6. Configure ssl.conf. If mod_ssl.so is installed, the conf.d directory (or the equivalent directory in your layout) contains ssl.conf, which configures the HTTPS side, and conf.modules.d gains 00-ssl.conf, which loads the module.
ssl.conf settings (the comments in the file explain each parameter):
SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol all TLSv1 TLSv1.2
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 still permits TLS 1.0 and 1.1; when every client supports it, SSLProtocol -all +TLSv1.2 is the stricter setting (the httpd 2.4.6 shipped with CentOS 7 does not recognise TLSv1.3). The active cipher string removes RC4, MD5, anonymous, NULL and export ciphers and, through !DH:!EDH, also the DHE suites, so forward secrecy then rests on the ECDHE suites that HIGH includes; SSLHonorCipherOrder on lets the server rather than the client pick among them.
7. Restart the service
Check the configuration syntax first (httpd -t), since a syntax error leaves the service down after the restart:
[root@contos7 ~]# systemctl restart httpd